September 17, 2021

Volume XI, Number 260


NYDFS Issues Ransomware Guidance Outlining Expected Security Controls

On June 30, 2021, the New York State Department of Financial Services (“NYDFS,” the “Department”) issued guidance to all New York state-regulated entities on ransomware (the “Guidance”), identifying controls it expects regulated companies to implement whenever possible.

To help prevent successful ransomware attacks, the Department outlines a playbook of known cybersecurity countermeasures and controls. Notably, the Guidance states that, given the substantial risk from ransomware, “every NYDFS-regulated company should seek to implement the controls outlined in this Guidance to the extent possible.”

With respect to reporting ransomware incidents to the Department, the Guidance provides that, because such attacks pose an inherent risk to the confidentiality, integrity and availability of an organization’s data, regulated entities should treat any successful deployment of ransomware on their internal network as reportable to NYDFS as promptly as possible and within 72 hours at the latest. The Department noted it may expressly mandate this in its reporting requirements going forward.

With respect to ransomware prevention, the Department expects regulated companies to implement the following controls whenever possible:

  • Email filtering and anti-phishing training for employees, including regular exercises and blocking malicious attachments and links;

  • Vulnerability and patch management, including a documented program to identify, assess, track and remediate vulnerabilities on all enterprise assets;

  • Multi-Factor Authentication, including for all logins to remote or internal privileged accounts;

  • The disabling of Remote Desktop Protocol (“RDP”) access wherever possible, and if RDP is deemed necessary, restricting access only to whitelisted originating sources;

  • Privileged access management, including implementing the principle of least privilege;

  • A way to monitor systems and respond to suspicious activity alerts, including an Endpoint Detection and Response (“EDR”) solution;

  • Comprehensive, segregated backups that will allow for recovery in the event of a ransomware attack; and

  • An incident response plan that explicitly addresses ransomware attacks and will undergo testing, including with the involvement of senior leadership.

The Department noted that it also is considering revisions to its Cybersecurity Regulation to address the evolving cyber threat landscape and that it welcomes engagement with industry and experts on revisions to the NYDFS Cybersecurity Regulation. Additionally, NYDFS notes that it, like the FBI, recommends against paying ransoms.

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XI, Number 193

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
